XSS was first disclosed in the 1990s, and since then its discovery and exploitation have drawn much attention. XSS, i.e., cross-site scripting, is one approach to stealing information from a user by taking advantage of web site vulnerabilities. When the user browses web sites, uses instant messaging software or reads e-mails, he will usually click on the links therein. Malicious hackers insert malicious code into such links, so that when the user clicks on a link, the web server that generates the corresponding web page, having an XSS vulnerability because it does not filter the malicious code, generates a web page containing the malicious code, and that web page appears to be a legitimate web page generated by the web site. Consequently, the malicious code is executed on the user's computer, bypassing the user's local security mechanisms to steal user information, or even launching a Trojan attack on the user's machine to acquire remote control of it. Hackers usually apply hexadecimal encoding (or other encoding schemes) to the links so that the user does not doubt the legitimacy of the link. XSS is currently universal on the Internet and poses an enormous threat to end users. In recent years, XSS has overtaken buffer overflow as the most common security vulnerability. At least about 68% of web sites have XSS vulnerabilities.
XSS detection can be divided into remote active detection and local passive detection according to the approach used. The local passive detection technique is mainly applied in the browser; currently, both IE8 and the NoScript plug-in for Firefox support XSS detection. Remote active detection is mainly applied in detection tools such as remote vulnerability scanners. The present invention focuses on improving the remote detection technique.
As security awareness improves, web site programmers may apply special processing to the parameters input by the user. This special processing complicates the remote scanning of XSS vulnerabilities and, in particular, easily produces false alarms in remote scanning.
Several approaches for remote scanning of XSS vulnerabilities in web servers have been proposed. U.S. Pat. No. 7,343,626B1 discloses a method and a system for automated detection of XSS vulnerabilities in a web site under test, comprising: for a web page of the web site, finding all parameter-value pairs; for each parameter-value pair, constructing a dedicated tracer value and submitting the constructed parameter-value pair to the web server to request the web page; if the dedicated tracer value is found in the returned web page, the web page may have an XSS vulnerability; based on the position in the web page where the dedicated tracer value appears, constructing a second dedicated tracer value comprising a script and submitting it to the web server; and determining whether the web page has an XSS vulnerability depending on whether the returned web page executes the script. However, according to the method disclosed in U.S. Pat. No. 7,343,626B1, each parameter-value pair must be submitted twice, which results in low execution efficiency. In addition, the method requires constructing the second dedicated tracer value comprising a script based on the position where the first tracer value appears; as network techniques develop, XSS vulnerabilities may appear in other positions, so the method may not detect XSS vulnerabilities comprehensively.
Some open source software also implements other methods for remote detection of XSS vulnerabilities, and the principle is generally as follows: for a given web page to be tested, first determine the parameter-value pairs accepted by the web page; then, for each parameter, construct a dedicated value and request the web page from the web server using the specially constructed parameter-value pairs; finally, determine whether a vulnerability exists based on the returned information. In these open source detection methods, the returned information is analyzed by matching regular expressions against characteristic strings to determine whether XSS vulnerabilities exist, which in certain cases gives rise to false alarms or omissions. Furthermore, for DOM-based XSS vulnerabilities, these methods cannot determine whether the vulnerability can actually be triggered. For instance, when the returned web page contains the constructed dedicated value but that value cannot be executed, these methods still report that the web page contains an XSS vulnerability, which is not actually the case.
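To make the false-alarm problem described above concrete, the following added example (not code from the patent or from any scanner it refers to) contrasts the substring/regular-expression verdict with a verdict that asks how an HTML parser actually consumed the reflected value. The tracer string zxqTracer and the sample server responses are constructed for illustration; the tracer is markup-shaped but runs nothing.

```python
from html.parser import HTMLParser

# Constructed, harmless tracer: it is only markup-shaped and executes nothing.
TRACER = "zxqTracer"


class TracerContext(HTMLParser):
    """Records every syntactic context in which the reflected tracer was parsed."""

    def __init__(self, tracer):
        super().__init__(convert_charrefs=False)  # keep &lt; / &gt; as entities
        self.tracer = tracer
        self.contexts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == self.tracer.lower():
            self.contexts.add("tag")        # the input became a real element
        elif tag == "script":
            self._in_script = True
        for _, value in attrs:
            if value and self.tracer in value:
                self.contexts.add("attribute")  # quoted attribute value only

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.tracer in data:
            # Plain text: brackets were escaped or stripped, so no element formed.
            self.contexts.add("script" if self._in_script else "text")

    def handle_comment(self, data):
        if self.tracer in data:
            self.contexts.add("comment")    # reflected, but not parsed as markup


def regex_verdict(body, tracer=TRACER):
    """The substring check criticised in the text: reflected means vulnerable."""
    return tracer in body


def context_verdict(body, tracer=TRACER):
    """True only when the tracer became an element or landed in script data;
    those are the reflections worth verifying further. Also returns contexts."""
    parser = TracerContext(tracer)
    parser.feed(body)
    parser.close()
    return bool(parser.contexts & {"tag", "script"}), sorted(parser.contexts)
```

Over the constructed responses, the substring check flags an entity-escaped echo, an echo inside an HTML comment and an echo inside a quoted attribute just as readily as an echo that the parser turned into an element, whereas the context check separates them.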
It can be seen that, in this technical field, no method or device yet detects XSS vulnerabilities completely and effectively. The present invention attempts to provide a solution for fully automated detection of XSS vulnerabilities in a comprehensive and effective manner by improving the methods proposed in the open source software.